Modern Incident Response
IT-Security Stammtisch, 10.5.2017
$whoami
- Martin Schmiedecker, aka @Fr333k
- researcher at SBA Research
- digital forensics!
- online privacy & network security
- I love memes!
Why u here?
Not about logging
- easy to do
- really good to have it
- Splunk ($), Microsoft Events, ...
- Graylog, ELK stack, ...
Agenda
- PC
- Mobile
- Network
- 2+ systems
Intrusions
Companies fail to detect intrusions:
- Sony
- Hacking Team
- RSA
- Google, Operation Aurora
- (Stuxnet)
Incident response?
- react to security-related events
- containment, prevention
- forensics
How to
- get RAM!
- inspect system?
- install network tap?
- get hard drive image
Why RAM?
- all the good stuff is in there
- processes, network connections, ...
- non-reproducible!
- volatility is great!
How?
- Windows: FTK Imager, WinPmem, Deft Linux, ...
- Linux: LiME
- Mac OS: OSXPmem
- all above: Rekall (GRR)
- Android: LiME (adb)
- iOS: WTF?
Reality kicks in!
- 1TB of RAM?
- entire networks? VLANs?
- 10G network links?
- terabytes of storage?
Inspect the machine
- once you have RAM
- run e.g. Sysinternals Tools
- capture traffic
- ...
File systems
- commercial world
- timelining is key!
- Supertimelines
- fiwalk, part of Sleuth Kit
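To make "timelining is key" concrete, here is an added example (written for this page, not code from the talk or from Sleuth Kit) that parses the body-file format Sleuth Kit's `fls -m` and fiwalk write, folds each file's four timestamps into mactime-style `macb` lines, sorts them into one timeline and pivots around a time of interest. The three body lines are constructed sample data, not from a real image.

```python
"""Build a mactime-style timeline from Sleuth Kit body-file lines (added example, not TSK code)."""
from datetime import datetime, timezone

# Body-file format written by `fls -m` / fiwalk (Sleuth Kit 3.x):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch seconds, 0 = unknown)
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

# Constructed sample lines, not from a real image: a downloaded document, then a
# persistence plist and a helper binary written about a minute later.
SAMPLE_BODYFILE = """\
0|/Users/alice/Downloads/invoice.docx|1234|r/rrw-r--r--|501|20|48213|1493812800|1493812790|1493812790|1493812790
0|/Users/alice/Library/LaunchAgents/com.update.plist|1240|r/rrw-r--r--|501|20|612|1493812860|1493812850|1493812850|1493812850
0|/usr/local/bin/update_helper|1241|r/rrwxr-xr-x|0|0|102400|1493812900|1493812855|1493812856|1493812855
"""


def parse_bodyfile(text):
    """Return events (ts, macb, size, mode, inode, name), one per distinct timestamp per file, sorted."""
    events = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {raw!r}")
        rec = dict(zip(FIELDS, parts))
        # Several of a file's timestamps usually coincide; mactime folds them into one line
        # whose flags say which of m(odified), a(ccessed), c(hanged), b(orn) it stands for.
        by_ts = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = int(rec[key])
            if ts > 0:
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, macb, int(rec["size"]), rec["mode"], rec["inode"], rec["name"]))
    events.sort(key=lambda e: (e[0], e[5]))
    return events


def format_timeline(events):
    """Render events the way mactime prints them: time, size, macb, mode, inode, name."""
    lines = []
    for ts, macb, size, mode, inode, name in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        lines.append(f"{when} {size:>8} {macb} {mode} {inode:>6} {name}")
    return lines


def events_around(events, pivot_ts, window_s):
    """Pivot on a known time (alert, login, download) and return everything touched nearby."""
    return [e for e in events if abs(e[0] - pivot_ts) <= window_s]


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODYFILE)
    print("\n".join(format_timeline(timeline)))
    print("--- within 10 s of the plist being written ---")
    print("\n".join(format_timeline(events_around(timeline, 1493812850, 10))))
```

A supertimeline is the same idea applied to many more sources (registry, logs, browser history) merged on the same time axis; the pivot function is the step that turns a sorted list into a story, because the files created seconds after the document was opened are what you want to look at first.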
bulk_extractor
- tool(-set) by Simson Garfinkel et al.
- highly parallelized, very powerful!
- open-source
- can find otherwise overlooked data
Used techniques
- bulk analysis
- uses no file system metadata
- similar to file carving
- for processing: pages of size N
How?
- analyzes data using "scanners"
- scanners run sequentially
- extracts "features", stores in files
- recursive scanners: do, rinse, repeat
Scanners
- AES keys
- email addresses
- credit card information
- GPS, wordlist, and many more
- implemented in "basic" scanners
Recursive!
- most notably: compression & encodings
- e.g. .docx, .pptx are zipped XML
- also PDF, base64, ...
- optimistic decoding used
- then: feed back in buffer to be analyzed
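The four slides above (pages of size N, sequential scanners writing features, basic scanners such as email and credit card, recursive decoding of zip and base64 that feeds the result back in) describe one processing model. The following added example is a deliberately small Python re-implementation of that model, written for this page; it is not bulk_extractor's code, and the page size, margin, depth limit and the "forensic path" notation (`offset-ZIP-name-offset`) are assumptions modelled on the tool rather than taken from it. The image it scans is constructed in `build_sample_image`.

```python
"""Toy bulk_extractor-style feature extraction (added example, not bulk_extractor's own code)."""
import base64
import binascii
import io
import re
import zipfile
import zlib

PAGE_SIZE = 4096   # assumed page size N; the real tool's page and margin sizes differ
MARGIN = 256       # overlap so a feature straddling a page boundary is not cut in two
MAX_DEPTH = 4      # bound on recursive decoding (zip inside base64 inside zip ...)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
CCN_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")


def luhn_ok(digits):
    """Luhn checksum: drops most random digit runs the credit-card regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Context:
    """Where a buffer came from (forensic path prefix) and where its features are stored."""

    def __init__(self, features, prefix="", base=0, limit=None, depth=0):
        self.features, self.prefix, self.base = features, prefix, base
        self.limit, self.depth = limit, depth

    def record(self, kind, local_off, value):
        if self.limit is not None and local_off >= self.limit:
            return                          # starts in the overlap margin: the next page reports it
        self.features.setdefault(kind, set()).add((f"{self.prefix}{self.base + local_off}", value))

    def recurse(self, child, local_off, label):
        """Feed decoded data back in with a path that records how it was reached."""
        if self.depth >= MAX_DEPTH or (self.limit is not None and local_off >= self.limit):
            return
        prefix = f"{self.prefix}{self.base + local_off}-{label}-"
        analyze(child, Context(self.features, prefix, 0, None, self.depth + 1))


def scan_email(buf, ctx):
    for m in EMAIL_RE.finditer(buf):
        ctx.record("email", m.start(), m.group().decode())


def scan_ccn(buf, ctx):
    for m in CCN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            ctx.record("ccn", m.start(), digits)


def scan_base64(buf, ctx):
    for m in B64_RE.finditer(buf):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except (binascii.Error, ValueError):
            continue                        # optimistic decoding: skip what does not decode
        ctx.recurse(decoded, m.start(), "BASE64")


def scan_zip(buf, ctx):
    pos = buf.find(b"PK\x03\x04")
    while pos != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(buf[pos:])) as zf:
                members = zf.infolist()
                for info in members:        # .docx/.pptx are zipped XML: look inside
                    ctx.recurse(zf.read(info), pos, "ZIP-" + info.filename)
                pos += max(i.header_offset for i in members)
        except (zipfile.BadZipFile, zlib.error, RuntimeError, ValueError, NotImplementedError, EOFError):
            pass
        pos = buf.find(b"PK\x03\x04", pos + 1)


SCANNERS = (scan_email, scan_ccn, scan_base64, scan_zip)


def analyze(buf, ctx):
    for scanner in SCANNERS:                # scanners run sequentially over the same buffer
        scanner(buf, ctx)


def scan_image(data, page_size=PAGE_SIZE, margin=MARGIN):
    """Process raw bytes page by page with no file-system metadata; returns {kind: {(path, value)}}."""
    features = {}
    for offset in range(0, len(data), page_size):
        page = data[offset:offset + page_size + margin]
        analyze(page, Context(features, "", offset, page_size))
    return features


def build_sample_image():
    """Constructed test data, not a real disk image: plain text, a base64 blob and a docx-like zip."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:p><w:r><w:t>please wire the invoice amount to ceo@example.com today</w:t></w:r></w:p>" * 3)
    blob = base64.b64encode(b"backup contact: finance@example.org")
    page1 = (b"\x00" * 1000 + b"From: alice@example.com\r\n"
             b"card 4111 1111 1111 1111 ok, 1234 5678 9012 3456 is not\r\n"
             b"attachment " + blob + b"\r\n").ljust(PAGE_SIZE, b"\x00")
    return page1 + docx.getvalue() + b"\x00" * 5000
```

Running `scan_image(build_sample_image())` finds the plain email at offset 1006, the email hidden in the base64 blob at `1093-BASE64-16`, the one inside the zipped XML at `4096-ZIP-word/document.xml-49`, and exactly one credit-card number (the second digit run fails Luhn). The zip starts at the page boundary, so page 1 sees its first 256 bytes only in the margin and leaves it to page 2; that is the whole reason for the margin.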
Did I mention?
- very powerful!!1
- used e.g. for extracting tcpflows
- really made for bulk analysis
- will pin ALL CPU cores available
- the more, the merrier
Network
- hard to hide (IDS somewhat work?)
- plenty of plaintext
- acquisition is often easy
- plenty of tools
Challenges:
- 10G+ networks?
- tap location?
- mirror/monitoring port available?
- fibre tapping?
- production networks?
- cooperation is key!
10G
- stenographer, by Google
- writes 10G network packets to disk
- no stream reassembly
- packet sampling, aka few reads
Mobile
- UFED Physical Analyzer
- Katana Lantern
- Oxygen
- XRY
- Nuix
- Blackbag Tech
Agent-based solutions
- GRR Rapid Response
- osquery
- Mozilla Investigator (MIG)
- slightly different regarding capabilities, usage, ...
GRR
- by Google
- specifically built for incident response
- supports Windows, Mac, Linux
- open source since 2011
- written in Python
- uses lightweight, local agents
GRR deployment
- most logic is server-side
- server generates executables with config
- client simply runs it, done
- easy with Puppet or other
- offline clients run tasks asap when online
GRR pros
- web GUI
- scales very well
- allegedly large setups with 100,000+ client machines
- configuration & roll-out easy
- long-term supported project
GRR cons
- not strictly user-friendly (yet)
- initial setup of server can be tedious
- privacy & legal implications?!
GRR RAM
- remote acquisition of RAM
- use volatility on live RAM
- = really, really cool!
GRR flows
- work unit in GRR, asynchronous
- used for client data acquisition
- can use e.g. OS API, or Sleuth Kit for file access
- written in Python, stored on server
- baselining for histograms
GRR hunting
- run flows on entire fleet
- also on offline machines, once back
- or any subset e.g., all machines running Windows
- scalable!
- clients check for new flows every 10 mins
GRR performance
- client will kill itself if too resource-hungry
- heart beat
- memory limit (500 MB)
- cpu limit (3 minutes)
osquery
- by Facebook
- built for monitoring systems & detecting intrusions
- SQL-like query language
- supports Windows, Linux, OS X, FreeBSD
- open source since 2014
osquery can watch
- running processes
- filesystem changes
- log aggregation
- scan for YARA or IOC
- all in configurable intervals e.g., every 10 seconds
MIG
- by Mozilla
- supports Windows, OS X, Linux
- written in Go
- open-source since 2013
Do you do Incident Response?
Thx! Questions?
Links
- thisweekin4n6
- peekatorrent
- ICDF2C, CfP 15th of May